Last updated: 2024-03-12

Configuration of Keycloak for Spring Boot

To connect our Spring Boot application to an external Keycloak server, there are a couple of required or useful settings. This article covers the configuration of a Keycloak server for local development, or as a basic guideline for online servers. How to connect Keycloak to our Spring Boot app using OAuth/OIDC is described in this article.

If Keycloak has been enabled in the Security tab in Bootify, the setup described below is required. A file keycloak-realm.json is available in the project root, or in the src/test/resources folder if integration tests are enabled. This file can be imported to generate a realm with exactly this setup; it already contains a test user and a project-specific secret. When using the DevServer, the redirect URLs must include port 8081 as well.

Keycloak download and first start

First, download Keycloak in the current version 24.0.4. The zip file is available here. After unpacking, the server can be started using ./bin/kc.sh start-dev --http-port 8085 (or kc.bat under Windows). By using port 8085 there is no conflict with the default port 8080 of our Spring Boot application.

Our local Keycloak server should now be accessible at http://localhost:8085. After the first start we need to provide the admin credentials to access the administration UI.

Create Keycloak realm

After we are logged in as admin, we first create our realm without providing a resource file. Here we use "bootify" as realm name.

Creating our Keycloak realm

In the Realm settings we activate user registration - this allows users to register themselves if they do not have a login yet.

Configuring login settings of our new realm

We also enable the "Email as username" option - so there is no need to specify a dedicated username.

OAuth login page after allowing self registration

Create Keycloak client

The client in this context describes an application that can connect to Keycloak - so this corresponds to our Spring Boot application. We create it within our new realm.

Starting to create our client application

Within the "Capability config" we decide on client authentication. If we are working with server-side rendering, we can activate this setting - our server must then store the secret and present it to Keycloak. If we are working with a client-side SPA like Angular, we must deactivate this setting - since the secret cannot be stored securely in the browser, the OIDC client type is public and no secret is provided.

Enabling client authentication

We specify http://localhost:8080/* as a valid redirect URL for development - add the same pattern with port 8081 when using the DevServer.

Configuring our redirect URL

Since we have activated client authentication, the "Credentials" tab is available for our client. Here we can generate the secret and enter it in the application.yml / application.properties of our Spring Boot app. The key for that is spring.security.oauth2.client.registration.{provider-id}.client-secret - further settings are described in the already linked article.

Copying the client secret into our Spring Boot app

Role configuration

Since Keycloak is primarily an IDP (Identity Provider), it also makes sense to manage the roles within Keycloak. To do this, we first need to create a role and later provide it to our Spring Boot app via the ID token.

Creating ROLE_USER as realm role

In the Realm Settings under the tab "User registration" we now automatically assign our role to each registered user.

Assigning our role to each registered user

This means that our users already have the desired role - but we still have to make it available to our application. To do this, we first select our created client under "Clients" and then open the dedicated scope in the "Client scopes" tab.

Opening the mapper definition of our client

Here we select the predefined mapper "Realm role".

Selecting a predefined mapper

When creating it, we also activate the "Add to ID Token" option.

Adding realm roles to the ID Token

This completes our Keycloak setup! When we connect our Spring Boot application to our client as described, users can register and log in on their own. Users are automatically assigned the ROLE_USER which we can read via the ID token within our Spring Security config.
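The following Spring Security configuration is an added example, not code generated by Bootify or shipped with the project; it ties together the client-secret setting described in the "Create Keycloak client" section and the role mapping described here. It assumes a registration id of keycloak, a client id of bootify-app and the realm name bootify; the package name and class name are hypothetical. The predefined "realm roles" mapper writes the roles under the claim realm_access.roles, which is what the mapper below reads from the ID token. Only roles prefixed with ROLE_ are turned into authorities, so Keycloak's built-in realm roles (offline_access, uma_authorization, the default-roles-* role) do not silently become application authorities.

```java
package com.example.security; // hypothetical package

// Equivalent application.yml keys for the client created above (registration id "keycloak" assumed).
// The secret is read from an environment variable so it never lands in version control:
//   spring.security.oauth2.client.registration.keycloak.client-id: bootify-app
//   spring.security.oauth2.client.registration.keycloak.client-secret: ${KEYCLOAK_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.keycloak.scope: openid,profile,email
//   spring.security.oauth2.client.provider.keycloak.issuer-uri: http://localhost:8085/realms/bootify

import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/error").permitAll()
                // hasRole("USER") checks for the authority "ROLE_USER", i.e. the realm role created above
                .anyRequest().hasRole("USER"))
            .oauth2Login(oauth -> oauth.userInfoEndpoint(
                userInfo -> userInfo.userAuthoritiesMapper(realmRolesAuthoritiesMapper())));
        return http.build();
    }

    // Maps the realm roles carried in the ID token to Spring Security authorities.
    @Bean
    public GrantedAuthoritiesMapper realmRolesAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority oidcAuthority) {
                    mapped.addAll(extractRealmRoles(oidcAuthority.getIdToken().getClaims()));
                }
            }
            return mapped;
        };
    }

    // Reads realm_access.roles from the token claims; only ROLE_-prefixed entries become authorities,
    // so Keycloak's built-in roles (offline_access, uma_authorization, default-roles-*) are ignored.
    static Set<GrantedAuthority> extractRealmRoles(Map<String, Object> claims) {
        Set<GrantedAuthority> roles = new HashSet<>();
        Object realmAccess = claims.get("realm_access");
        if (realmAccess instanceof Map<?, ?> access && access.get("roles") instanceof List<?> names) {
            for (Object name : names) {
                if (name instanceof String role && role.startsWith("ROLE_")) {
                    roles.add(new SimpleGrantedAuthority(role));
                }
            }
        }
        return roles;
    }
}
```

Because the mapper reads the ID token rather than the access token, the "Add to ID Token" option on the Keycloak mapper is what makes this work; if the roles are missing at runtime, that checkbox and the exact claim name realm_access.roles are the first things to verify.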